Monday, December 28, 2009

What is Google Public DNS?

Google Public DNS is a free, global Domain Name System (DNS) resolution service that you can use as an alternative to your current DNS provider.
To try it out:
  • Configure your network settings to use the IP addresses and as your DNS servers or
  • Read our configuration instructions.
If you decide to try Google Public DNS, your client programs will perform all DNS lookups using Google Public DNS.

Why does DNS matter?

The DNS protocol is an important part of the web's infrastructure, serving as the Internet's phone book: every time you visit a website, your computer performs a DNS lookup. Complex pages often require multiple DNS lookups before they start loading, so your computer may be performing hundreds of lookups a day.

Why should you try Google Public DNS?

By using Google Public DNS you can:


Tuesday, December 15, 2009

Neustar Implements DNSSEC in the .US Registry

Neustar announced today that it has implemented DNSSEC in the .US country-code top level domain registry.

"This is an important step for Neustar, and gives .US domain name holders a significant way to differentiate their businesses," said Tim Switzer, vice president of registry services at Neustar. ".US now stands for unprecedented Internet security."

Source: Neustar Implements DNS Security Extensions in the .US Registry, Neustar, Inc., Retrieved on December 15, 2009 from

Monday, December 14, 2009

Infoblox Delivers the Industry's Most Automated DNSSEC Solution

Fully Automated Key Management and Rollover Eliminates Barriers to DNSSEC Adoption

Infoblox Inc. today announced availability of additional functionality to help organizations simplify deployment of the Domain Name System Security Extensions (DNSSEC), a suite of IETF specifications for securing information provided by DNS.

Infoblox addresses this with its "one-click DNSSEC" solution that replaces manual key generation and zone signing with a one-click process that generates and securely distributes encryption keys to all appliances in the Infoblox grid that serve DNSSEC data. Infoblox also automates the critical process of periodically changing keys, also known as "key rollover," which is essential to ensuring that secure DNS data cannot be compromised. Keys are rolled over automatically according to best practices recommended by the National Institute of Standards and Technology (NIST-800-81) and RFC 4641 standards. DNSSEC records are signed and re-signed automatically each time DNS data are changed. This eliminates dozens of error-prone, manual operations and eliminates the need to write and maintain custom scripts.

Further, configuring a secondary and/or recursive name server for DNSSEC can also be accomplished with a single click. The solution also automates important administrative functions including easy importing of trust anchors.

Infoblox Vice President of Architecture and DNS expert, Cricket Liu, commented: "Addressing the most threatening DNS security concerns requires a globally coordinated effort to deploy DNSSEC. The functionality Infoblox provides in its purpose-built, highly automated solutions helps organizations overcome deployment challenges by eliminating the complex tasks required to support DNSSEC with conventional solutions."

Pricing and Availability

The most comprehensive DNSSEC functionality is now available in Infoblox NIOS software version 5.0r1, the only core network services solution on the market with a single Web-based graphical user interface (GUI) that provides management of all aspects of the domain name system (DNS), IP address assignment (DHCP) and IP address management (IPAM) infrastructure and data.

The NIOS software version 5.0r1 will be available Dec. 21, 2009. Pricing for the solution on the Infoblox-250 appliance starts at $2,495 in the U.S. Software upgrades are available free of charge for all current customers with a valid maintenance contract.

For more information about Infoblox products, visit:

Source: Marketwire, Infoblox Delivers the Industry's Most Automated DNSSEC Solution, Retrieved on December 14, 2009 from

Tuesday, December 1, 2009

Secure64 DNS Signer Earns FIPS 140-2 Level 2 Security Certification

Product Meets Stringent Cryptographic Security Standards Required for Federal Agencies

Secure64 Software Corporation today announced that the company's Secure64 DNS Signer software appliance will receive FIPS 140-2 Level 2 certification from the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC). Secure64 DNS Signer is the first commercial DNSSEC software appliance certified to Level 2. U.S. federal agencies are required to utilize only FIPS-certified products in any federal system that uses cryptography to protect sensitive or valuable information.

"This FIPS certification recognizes the security inherent in Secure64's architecture, which is able to store sensitive information online safely. By combining this security with high speed cryptography, our DNSSEC signing software is able to offer better cryptographic security and performance than other software solutions without the added cost and complexity of cryptographic hardware," said Steve Goodbarn, Secure64 CEO.

FIPS 140-2 is a NIST standard for cryptographic security that defines four levels of compliance ranging from Level 1 to Level 4. Level 1 certification provides assurance that the most basic security requirements have been met, while security requirements become more stringent as the certification levels increase. DNSSEC products use cryptographic digital signatures to protect the DNS, so FIPS 140-2 certification is a good measure of the degree of private key protection provided. No software cryptographic module has ever been certified to Level 3 or 4.

"FIPS certification is increasingly an important foundational technology requirement to drive adoption across the federal government marketplace," said Rishi Sood, Research Vice President at Gartner.

Public key cryptography is commonly used in computer systems to ensure the authenticity, integrity or confidentiality of data communicated across a network. Trust in the security of network communications depends on the degree of security those computer systems provide to protect their cryptographic keys. Without sufficient security, messages could easily be forged or confidential information intercepted.

"Most of our competitors simply use the cryptographic module that ships with the underlying operating system, or an OpenSSL cryptographic module," said Joe Gersch, Secure64 COO and nationally-recognized DNSSEC expert. "These modules may have been certified by NIST to Level 1, but the version of the module that was certified may or may not be the one actually used by the vendor. In contrast, Secure64 DNS Signer actually met the requirements for Level 3 in four of ten categories, and provides mitigation of attacks beyond what is required for certification. This means our software provides significantly more cryptographic security than any other commercial DNSSEC signing software available today."

For more information about DNSSEC and Secure64 DNS Signer, visit

SOURCE: Secure64 Software Corporation, PR Newswire, Retrieved on December 1, 2009 from

Wednesday, November 18, 2009

F5 Highlights New Security Features In BIG-IP 10.1

"Application Delivery Network vendor F5 has rolled out a number of security functionality features on their BIG-IP appliances. Along with enhanced protection against automated scanners and bots, the 10.1 release also delivers DNSSEC compliance, expanded IP geolocation and improved reporting.

For many enterprises, the DNSSEC updates are likely going to be the biggest draw to 10.1. The added security extension, meant to protect domain names from spoofing attacks, provides a trusted link between user and host. Unfortunately, this level of trust does not exist when a traffic manager, such as the BIG-IP's Global Traffic Manager, is redirecting traffic based on location or traffic load. F5's solution is to deliver the signed responses from the BIG-IP itself, making it the trusted host, ensuring compliance without having to re-engineer the application server environment behind it. F5 claims that their BIG-IP DNSSEC solution is the first to market among competitors in the load balancing space."

Source: F5 Highlights New Security Features In BIG-IP 10.1, Michael Brandenburg, Retrieved on November 18, 2009 from

Tuesday, November 17, 2009

VeriSign to offer DNSSEC by Q1 2011

VeriSign announced Monday that it will meet its goal of supporting DNS Security Extensions (dubbed DNSSEC) in the .net and .com top-level domains by March 2011.

VeriSign has been working on DNSSEC deployment with Educause, a non-profit organization that operates the .edu domain for universities and colleges. VeriSign and Educause are hosting a DNSSEC testbed for universities to trial new DNS authentication mechanisms. VeriSign says it will have DNSSEC fully operational on .edu by March.

“Signing the root is in a testbed right now,” says Pat Kane, vice president of naming at VeriSign. “We will have a deliberate, pragmatic rollout by July 1. Then the entire DNS root zone across the globe will be signed.”

Kane says the trickiest part of deploying DNSSEC across .com and .net is allowing domain name registrars—such as Go Daddy, Network Solutions and—to do the key management for their customers.

Kane says VeriSign plans to have DNSSEC deployed across .net by the fourth quarter of 2010 and .com by the first quarter of 2011.

DNSSEC also needs to be deployed across more domains. VeriSign says it will add these DNS security mechanisms to two more domains that it operates, .tv and .cc, by the end of 2011.

Corporations with large portfolios of domain names need to make sure that their registrars are rolling out DNSSEC, Kane advises. “These companies don’t just have .com and .net names, but also .info and .biz names,” he adds. “They should be encouraging their registrars to get other [top-level domains] working on this.”

The U.S. federal government is deploying DNSSEC on the .gov domain this year, and the Public Interest Registry announced support for DNSSEC on the .org domain in June. Other countries such as Sweden, Puerto Rico, Bulgaria, Brazil and Czech Republic already support this added layer of security for DNS look-ups.

Source: VeriSign bolsters security for .com, .net sites, Carolyn Duffy Marsan, Network World, Retrieved on November 17, 2009 from

Wednesday, October 28, 2009

.eu plans to support DNSSEC

Brussels, 28 October 2009 - EURid is pleased to announce that all .eu accredited registrars now have access to a .eu DNSSEC testbed. Providing this access is the first step in .eu support for Domain Name System Security Extensions (DNSSEC), a protocol that is intended to make the domain name system more secure.

The testbed will help EURid understand the technical demands of running the NSEC3 version of DNSSEC in combination with dynamic updates. It will also help the registry evaluate response times and measure the performance of zone file generation in the specific .eu environment. Finally, it will help EURid learn more about certain administrative processes required by DNSSEC. That includes the recalculation of signatures during a process which is known as key roll over.

"We want to work closely with our registrars to find out the best way to launch DNSSEC together to benefit .eu users," comments Marc Van Wesemael, EURid General Manager. "At this time, few top-level domain registries offer DNSSEC support. We encourage all in the community to help Internet users by embracing DNSSEC."

Source: Retrieved on October 28, 2009 from

Tuesday, October 27, 2009

ICANN Wants To Fast Track Non-Latin Character Domain Names

You may soon see URLs with Arabic characters and other non-Latin letters. The Internet Corporation for Assigned Names and Numbers is pushing a proposal to include Internationalized Domain Names that have native language scripts.

ICANN's IDN initiative, which has been in the works for several years, was presented Monday at the ICANN board meeting in Seoul, Korea, this week. The proposed launch date for the IDN ccTLD (country-code Top Level Domains) Fast Track Process is Nov. 16.

The move is centered on the increasing growth among global Internet users who do not use Latin-based characters, such as in Chinese, Korean and Arabic languages. A copy of ICANN's proposed rules regarding criteria for participation eligibility, language, technical script criteria and more can be found here.

"This is an extremely important meeting for ICANN, since the IDN program is moving one step closer to reshaping the global Internet landscape," said Rod Beckstrom, ICANN president and CEO, in a statement. "In Seoul, we plan to move forward to the next step in the internationalization of the Internet, which means that eventually people from every corner of the globe will be able to navigate much of the online world using their native language scripts."

At the meeting, ICANN also is discussing Generic top-level Domains (gTLDs), which are the end portion of an Internet address name, such as ".com" or ".org" and are not associated with any specific country. The organization said it is developing a new program in which the number of gTLDs will eventually be expanded from its current list of 21 to include almost any word, in almost any language. ICANN is calling for comments about gTLDs. A third draft of a proposed rules and procedures of applying for a new gTLD can be found here.

Internet security issues concerning the domain name system (DNS) are also being addressed at the meeting, ICANN said in a statement, and pointed to the recent Conficker worm threat.

"The threat was met with an unprecedented collaboration between ICANN and top security experts from Microsoft, Symantec and dozens of other companies, software vendors and organizations dedicated to preserving the security and stability of the Internet," ICANN said. "The Seoul meeting will afford an opportunity for security experts to share updates on DNS Security (DNSSEC)."

Thursday, October 22, 2009

Internationalization of the Internet Takes Center Stage at ICANN Seoul Meeting

A program that is expected to make the Internet far more accessible to millions of people in regions such as Asia and the Middle East will be one of the central topics of ICANN’s 36th International Public Meeting in Seoul, October 25-30, 2009.

ICANN’s Board of Directors is scheduled to review an historic measure that could bring initial limited use of Internationalized Domain Names (IDNs) to the Internet before the end of the year. IDNs allow the use of non-Latin based language characters in the entire Internet address, which is expected to vastly increase the number of Internet users in global regions where languages such as Chinese, Korean or Arabic are spoken.

“This is an extremely important meeting for ICANN, since the IDN program is moving one step closer to reshaping the global Internet landscape,” said Rod Beckstrom, ICANN’s President and CEO. “In Seoul, we plan to move forward to the next step in the internationalization of the Internet, which means that eventually people from every corner of the globe will be able to navigate much of the online world using their native language scripts.”

Some of the other major issues to be raised at the Seoul meeting include:
The Affirmation of Commitments: The Seoul meeting occurs only three weeks after ICANN and the U.S. government signed an “Affirmation of Commitments.” The agreement endorses ICANN’s rapid adoption of IDNs. It also supports ICANN’s bottom up global stakeholder model of governance and policy formation and helps guarantee that the organization is globally accountable. The Affirmation succeeds the so-called “Joint Project Agreement” between ICANN and the U.S. Department of Commerce, which called for annual reviews to be submitted to the U.S. government. Those accountability reviews will now go to the global ICANN community. To view a video of Rod Beckstrom’s comments on the Affirmation of Commitments, please click here. You can embed this video on your Web site by clicking the “Get Code” button.

Generic top-level Domains: gTLDs are the end portion of an Internet address name, such as “.com” or “.org” and are not associated with any specific country. Under a new developing program, the number of gTLDs will eventually be expanded from its current list of 21 to include almost any word, in almost any language. The third draft of a proposed “Applicant Guidebook,” which spells out the rules and procedures of applying for a new gTLD, has just been published, and the Seoul meeting will afford participants a prime opportunity to discuss the latest draft. Please click here to review the Applicant Guidebook.

Internet Security: Cyber-security threats are always evolving and changing and the threat to the domain name system (DNS) is always increasing, as the world saw several months ago with the threat from the Conficker worm. The threat was met with an unprecedented collaboration between ICANN and top security experts from Microsoft, Symantec and dozens of other companies, software vendors and organizations dedicated to preserving the security and stability of the Internet. The Seoul meeting will afford an opportunity for security experts to share updates on DNS Security (DNSSEC).

All interested journalists are encouraged to attend the ICANN meeting in Seoul at the Lotte Hotel (1, Sogong-dong, Jung-gu Seoul, Korea 100-721), October 25-28, 2009. All meetings are open to the public. Registration is free and reporters will have access to the Internet via ICANN’s free WiFi system. Media kits will be available at the “Media Desk” near the main registration area.

You can find out everything you need to know about the Seoul meeting here:

Wednesday, October 21, 2009

US Department of the Interior To Use Secure64 DNSSEC Appliance

The US Department of the Interior has purchased Secure64 Software Corporation's DNS Signer product to meet the Office of Management and Budget's December 2009 mandate that requires all federal agencies to add Domain Name System Security Extensions (or DNSSEC).
The Department of Interior is the latest in a growing list of government agencies that has selected Secure64 DNS Signer, according to its Wednesday announcement. With DNS responsible for translating between host names and IP addresses on Internet-connected systems, the OMB issued a mandate that all federal agencies must implement DNSSEC by December 2009 as part of its cyber security strategy.

"DOI required a solution able to sign for the entire department, including all component bureaus and offices, so scalability was a factor in our decision," Department of Interior chief technology officer William Corrington said in a statement. "Even more importantly, we needed an automated product with the highest level of security to prevent signature forging. We selected Secure64 DNS Signer because it met all of our requirements and successfully completed a pilot deployment in three days."

In addition to managing the natural resources of the US, Secure64 chief executive officer and director Steve Goodbarn said DOI has been prepared for natural disasters, such as floods, wildfires, and earthquakes. "The resiliency of their Internet communications is critical to meet these missions and the department has taken a leadership role in deploying an efficient and reliable IT architecture," Goodbarn said in a statement. "We are proud to be part of these efforts and to enable reliable, timely, and cost-effective deployment of DNSSEC."

Source: "US Department of the Interior To Use Secure64 DNSSEC Appliance", David Hamilton, Retrieved on October 21, 2009 from

Thursday, October 8, 2009

First root server provides a DNSSEC-signed zone as of December 1st

"Joe Abley of ICANN and VeriSign manager Matt Larson announced, at the 59th meeting of the "Réseaux IP Européens" (RIPE) in Lisbon, that, starting on the 1st of December, the central root zone of the Domain Name System (DNS) will be signed, deploying the DNS Security Extensions (DNSSEC) protocol, which has been discussed for years. However, the signed root zone will be distributed only gradually to a total of 13 root servers, while the public key is slated for distribution starting on the first of July, 2010. Responses cannot actually be validated until then. DNSSEC is designed to ensure that responses to DNS requests only come from authorised servers.

Ever since security expert Dan Kaminsky showed how easy it was to falsify such responses and deceive users issuing requests, experts have been under pressure to introduce DNSSEC. The US Department of Commerce released the date of the accelerated implementation, and also decided that VeriSign and ICANN should work together to sign the root zone.

Attendees at RIPE welcomed the news that DNSSEC was finally being deployed. Olaf Kolkman of Nlnet Labs called the gradual approach "smart". Abley explained that the decision to proceed gradually was intended to prevent DNS from buckling under the load of the anticipated huge number of responses to root server requests. He said that it is important to observe how many servers on the net re-route the signed responses and use unsigned variants whenever a root server provides the signed zone.

The design choice of a 1024 bit RSA root zone key, rather than the longer 2048 bit key, may have also been due to the ambitious deployment date. The zone will be signed with NSEC instead of the next generation NSEC3 standard. Because it is valid for only four months, the chosen key should be adequate, despite directives from US authorities to migrate to longer keys. The master key, however, will use the longer variant (2048 bit RSA). That key will only be changed every two to five years.

In recent months, increasing numbers of ccTLD managers have announced plans to sign their zones with DNSSEC. Most recently, the Swiss .ch and .li registry switch announced the change to DNSSEC. At the RIPE meeting in Lisbon, Sara Monteiro of the FCCN .pt registry, said that she was just months away from DNSSEC signing. DeNIC, on the other hand, recently started a two-year trial programme. The more dense the DNSSEC chain becomes, the more secure it will be. However, experts expect some drawbacks as well; especially domains that cannot be accessed because responses are not signed on time."
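The key-size and key-role split the article describes (a short-lived 1024-bit RSA zone-signing key, a 2048-bit RSA key-signing key rolled every few years) is something an operator can check against the DNSKEY records a zone actually publishes. The following is an added example, not code from the article or from any registry it mentions: it parses presentation-format DNSKEY records, recovers the RSA modulus length from the RFC 3110 public-key blob, computes the RFC 4034 key tag, and flags keys below a size policy. The policy thresholds and the sample records are constructed for this example.

```python
import base64
import struct

# Policy minimums taken from the key sizes the article reports for the root zone
# (1024-bit ZSK, 2048-bit KSK). Assumption for this example, not an RFC rule.
MIN_BITS = {"ZSK": 1024, "KSK": 2048}

# RSA-based DNSSEC algorithm numbers whose public key uses the RFC 3110 format.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithm 1 excluded)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus length in bits from an RFC 3110 blob: exponent length, exponent, modulus."""
    if pubkey[0] != 0:
        exp_len, offset = pubkey[0], 1          # 1-byte exponent length
    else:
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3  # 3-byte form
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(record: str) -> dict:
    """Parse a presentation-format DNSKEY RR into its security-relevant fields."""
    fields = record.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1: idx + 4])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit set -> flags 257
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    bits = rsa_modulus_bits(pubkey) if alg in RSA_ALGORITHMS else None
    return {"owner": fields[0], "flags": flags, "role": role,
            "algorithm": alg, "bits": bits, "tag": key_tag(rdata)}


def check_policy(records) -> list:
    """Return one finding per key that violates the size policy or lacks the Zone Key bit."""
    findings = []
    for rec in records:
        k = parse_dnskey(rec)
        if k["bits"] is not None and k["bits"] < MIN_BITS[k["role"]]:
            findings.append(f"{k['owner']} {k['role']} tag {k['tag']}: "
                            f"{k['bits']}-bit RSA below policy minimum {MIN_BITS[k['role']]}")
        if not k["flags"] & 0x0100:
            findings.append(f"{k['owner']} tag {k['tag']}: Zone Key bit not set, "
                            f"key cannot validate the zone's RRSIGs")
    return findings


def make_rsa_pubkey(modulus_bits: int, exponent: int = 65537) -> bytes:
    """Constructed RFC 3110 blob with a dummy modulus of the requested size (not a real key)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = (1 << (modulus_bits - 1)).to_bytes(modulus_bits // 8, "big")
    return bytes([len(exp)]) + exp + modulus


def dnskey_record(owner: str, flags: int, alg: int, pubkey: bytes) -> str:
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(pubkey).decode()}"


# Constructed sample zone: a 1024-bit ZSK and a 2048-bit KSK as in the root plan,
# plus a 512-bit ZSK that the policy check should flag.
SAMPLE = [
    dnskey_record("example.", 256, 8, make_rsa_pubkey(1024)),
    dnskey_record("example.", 257, 8, make_rsa_pubkey(2048)),
    dnskey_record("example.", 256, 8, make_rsa_pubkey(512)),
]

if __name__ == "__main__":
    for finding in check_policy(SAMPLE):
        print(finding)
```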


Wednesday, October 7, 2009

DNSSEC Deployment Heads North

The .ca Canadian country code domain opens up a DNSSEC testbed

"TORONTO -- The global movement toward a more secure DNS infrastructure has gained another convert. The dot ca (.ca) country code Top Level Domain (ccTLD) now has an open public DNSSEC testbed to help secure the more than 1.2 million domains it manages.

The move was formally announced at the SecTor security conference underway in Toronto.

The move by dot ca places it in good company, joining other top level domains like .org in beginning to prove out and test DNSSEC in its infrastructure. Moving to DNSSEC on a global basis is a key security effort that could ultimately make the Internet safer for all.

DNSSEC provides cryptographic authentication of DNS information to ensure integrity and authenticity. The need for better DNS security became a big IT issue in mid-2008 when the Internet was rocked by the revelation that the Domain Name System (DNS), one of the core infrastructures of the Internet, was vulnerable to cache poisoning attack.

Vendors rushed out patches to the DNS vulnerability, although experts have suggested that DNSSEC is the ultimate solution to the problem. DNSSEC is a technology that has been available since at least 2004, but it is only now that adoption is growing.

Norm Ritchie, CIO of the Canadian Internet Registration Authority (CIRA), told the SecTor audience that now is the right time to test out DNSSEC. Ritchie noted that other countries and top-level domains are now testing it out and there is a lot of momentum in the global networking community for the effort.

According to Ritchie, the goal of the dot ca DNSSEC testbed is to get feedback on the process and the system ahead of a full scale deployment sometime in 2010.

The dot ca testbed is now in what Ritchie described as a 'friends and family' phase for all interested parties. Ritchie was hoping that those in the SecTor audience would be among the interested parties.

CIRA is using the services of DNSSEC vendor Xelerance in its testbed. Paul Wouters of Xelerance explained to attendees how both simple and complex it can be to actually get a dot ca domain ready for DNSSEC.

For users to enable their PCs and networks to accept DNSSEC secured domains, Wouters explained that all users need to do is to point to a DNSSEC activated DNS resolver. Wouters added that for the SecTor wireless network, such a DNS resolver was in place, meaning users were already benefiting from any DNSSEC protected domains.

For domain holders and DNS administrators, the process is a little more involved. Wouters said that with open source BIND DNS version 9.6 or higher, there are included tools to help users generate DNSSEC encryption keys.

Once a key has been generated, the user must visit the CIRA DNSSEC testbed site and manually activate the key on the dot ca servers.

While the process might seem straightforward, Wouters warned that there are risks.

"The problem with DNSSEC is if you make a mistake, your domain is gone," Wouters said. "So we've added a domain check procedure to make sure everything is okay.""

Source: Sean Michael Kerner, DNSSEC Deployment Heads North, October 7, 2009, from

Tuesday, October 6, 2009

Labor Employs Secure64 DNS Signer Department-Wide to Meet OMB Mandate

"DENVER, Oct. 6 /PRNewswire/ -- Secure64 Software Corporation announced today that the U.S. Department of Labor has purchased the company's Secure64 DNS Signer product to meet the OMB DNSSEC implementation mandate and increase security of its Internet infrastructure, including DNS services. The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the correct operation of any Internet enabled device. The six figure contract was purchased on the SEWP government contract through Secure64 partner Alvarez & Associates, a leading IT systems integrator for the federal government.

Secure64 DNS Signer is a software product that fully automates Domain Name System Security Extensions (DNSSEC) key generation, key rollover, zone signing and re-signing processes. It reduces deployment and administration costs while eliminating errors that can cause domains to become unavailable. The software also scales to extremely large, dynamic environments by safely keeping DNSSEC signing keys online while providing incremental zone signing and extremely high signing performance.

DNSSEC adds a critically needed level of trust to the Internet by allowing users to know with certainty that their Internet-based communications such as web site visits, email correspondence and even SSL and VPN sessions actually connect to the parties they intend to reach. DNSSEC thwarts attacks such as pharming, cache poisoning and DNS redirection that have been used to commit fraud, distribute malware, or steal personal or confidential information. Due to its importance, the United States Office of Management and Budget issued an OMB mandate that all federal agencies must implement DNSSEC by December 2009.

For more information about DNSSEC, Secure64 DNS Signer and Secure64 DNS Authority, visit"

Source: PR Newswire, Retrieved on October 6, 2009 from

Wednesday, September 30, 2009

ICANN’s New US Contract And New Top Level Domains - It’s Not Over

"With a day to go before the joint project agreement between the Internet Corporation for Assigned Names and Numbers (ICANN) and the United States Department of Commerce (DoC) is set to expire, calls for continuous US oversight role have been reiterated by US politicians and private-sector representatives who reason that this oversight is especially needed in the face of the planned introduction of new internet top-level domains like .shop.

ICANN is a “captured regulator,” the Coalition Against Domain Name Abuse (CADNA) warned last Wednesday and asked for additional oversight by the Department of Homeland Security (DHS), as ICANN is “risking cybersecurity, national security and global security.” Yet The Economist magazine ran an opinionated story only a day later asserting that ICANN would be “independent,” under the new contract conceding that the core infrastructure managed by ICANN - the domain-name system (DNS) root zone - will still be controlled by US authorities.
So it’s not over, neither the disputes about new top-level domains (TLDs) nor those about further internationalising internet domain name system oversight.

ICANN was founded in 1998 to organise private-sector, bottom-up and multi-stakeholder management for the coordination of the DNS and also IP addresses and so-called protocol parameters. It has since been at the centre of a heated debate about the roles of the US, but also global governments, industry and civil society groups in internet governance.
Broadsides at ICANN

While it had been quiet about the deadline of its joint project agreement (JPA) over the last month, last week ICANN saw some broadsides fired at its TLD expansion plans and its work record in general that would have been suitable for lobbying by US companies and trademark owners seeking to preserve US control. ICANN is “not independent,” “not transparent” nor “accessible,” is only after its own profits and is risking the stability and security of the internet it is tasked to protect, wrote CADNA, that lists companies like Verizon, HP, Dell, but also non-telecommunications, non-information technology members like Goldman Sachs or Wells Fargo, Nike or Hilton Hotels. CADNA called for a “full-scale audit of ICANN.”

The group requested that a special federal commission take up to twelve months “to fully audit ICANN and develop recommendations for a revised and updated JPA.” The introduction of new TLDs also came under fire from CADNA who dismissed the roll-out as “poorly conceived.”
Steve DelBianco, chairman of the Net Choice Coalition, representing companies like VeriSign and eBay, complained at a 23 September hearing of the House Judiciary Subcommittee on Courts and Competition Policy that ICANN had “got sidetracked” in the process of introducing new TLDs.

“ICANN should refocus on international labels [domains],” DelBianco said. Countries like China have long asked for internationalised, non-Latin domain names at the highest level. By opening up the TLD expansion to every new Latin-script string and complicating and slowing the process instead ICANN has risked the “splintering of the single root system,” he said, because “China has got tired of label makers and made a mini-ICANN of their own sitting on top of ours.” DelBianco neglected to mention that his parallel proposal to allocate the Chinese versions of .com, .net to the registries managing the English versions like VeriSign likely would not amuse the respective countries.

DelBianco, joined by Richard Heath, president of the International Trademark Association, argued that new generic TLDs in English would not bring innovation. Heath said it would instead “decrease competition if we (the trademark owners) have to fund a lot more defensive registration” and this would also divert resources from innovation and from investment in corporate social sponsorship projects.

Congressional Members: New TLDs Require Oversight of ICANN
Several members of Congress seemed to agree with the two trademark right representatives. Chairman Hank Johnson (Democrat, Georgia) for example said: “I do not understand [why] they want an unlimited expansion of the name space.” Johnson acknowledged non-Latin TLDs and initiatives like .nyc and .eco have merit. Given the planned expansion, US oversight over ICANN’s process continued to be necessary to provide stability and security for domain name owners, he said.

Republican Congressman Howard Coble (North Carolina) warned that ICANN by proceeding with the expansion of the name space had “not for the first time ignored what one might think is a mandatory instruction.” Governments in ICANN’s own Governmental Advisory Committee (GAC) had raised concerns about the new TLD process, and the DoC had asked for economic proof of the necessity of new TLDs, he said.

A week earlier a study from Interisle commissioned by ICANN also had recommended first introducing a new security feature to the DNS, the DNS Security Extensions protocol (DNSSEC), before moving on with the introduction of new TLDs, said Coble. The study on “Scaling the Root” in fact concluded ICANN could for stability reasons either introduce new gTLDs, new international (IDN) TLDs and next generation internet (IPv6) or DNSSEC. It recommended starting with the latter, which will authorise answers to name requests in the DNS and therefore make forgery more difficult. The DoC already has announced that DNSSEC should be introduced by the end of this year. To amalgamate the complicated technology into the DNS system, root operators and the community should be given 12 to 15 months before another addition to the system is started, the study found.

ICANN: No Link between JPA and new TLDs

ICANN officials rejected the link between the dispute over TLDs and the JPA contract discussions. ICANN’s new CEO, Rod Beckstrom, in a letter dated 22 September to several congressmen who had asked for legislation to make US oversight permanent, wrote that consultations on the IP issues were still underway. “There is no link to the conclusion of the JPA,” he said.

ICANN Chief Operating Officer Doug Brent at the hearing outlined the future application procedure for new TLDs as an ongoing discussion: a third version of the extensive applicant’s guidebook would come out at the beginning of October, Brent said. Several protective measures that were proposed by the “Implementation Recommendation Group” (IRT) were called upon by ICANN’s board chairman. The IRT work was seen by other ICANN stakeholder groups, including registries, registrars and non-commercial domain name holders, as yet another round for the IP community of undermining and bypassing the multi-stakeholder process that had worked for months for a consensus.

“We will not allow an expansion that will not adequately protect trademark owners,” reiterated Brent, and “it will not be an unbridled expansion.” Delaying the process begun as part of ICANN’s overall mandate to bring competition to the originally monopolistic domain name system according to Beckstrom and Brent would only serve “to perpetuate existing market conditions: concentration within some existing registries, with most short generic strings unavailable and those that trade on the value of the current marketplace, holding portfolios based upon the value of current .com.”

Support for ICANN’s process to now finally push through with new generic TLDs and non-English TLDs came from a coalition of domain name registries like Core, registrars like ENOM, declared applicants for new TLDs including the competitors for the .eco TLD of which one is supported by former Vice President Al Gore and a Commissioner of the Canadian Regulatory Authority (CRTC). In their letter to the ICANN Board, the pro-TLD coalition urged ICANN to initiate the new TLD application period without further delay as it would bring more competition and consumer choice and avoid chaos stemming from an alternative addressing scheme that would pop up if ICANN gave in to what they see as fearmongering and “narrow arguments advanced so vociferously by those who seek to preserve their advantages.”
End of the JPA, No End to US Control

So what will happen with a new agreement in place this week? ICANN officials so far have not responded to requests for detailed information. Beckstrom in his letter to the congressmen dated 21 September wrote: “I am in discussions with the NTIA (DoC National Telecommunications and Information Administration) to establish a long-standing relationship to accommodate principles including the beliefs that ICANN should remain a nonprofit corporation based in the United States, and should retain an ongoing focus on accountability and transparency.” ICANN should be made a permanent institution, said Beckstrom, adding, “Accordingly, ICANN seeks to have a long-term relationship with the United States government and also seeks to build long-term relationships with other countries and contractual partners as well.”

By the end of last week The Economist came out with leaked information about an “independent“ ICANN, quoting a four-page paper about “affirmations and commitments” that envisaged four oversight panels over ICANN, checking on “competition among generic domains (such as .com and .net), the handling of data on registrants, the security of the network and transparency, accountability and the public interest.” The US would only retain a permanent seat in the latter one, and representatives of “foreign governments” would be included in the oversight panels. The agreement sets up oversight panels that include representatives of foreign governments to “conduct regular reviews of ICANN’s work in four areas.”

The potential new oversight model would partly answer long-standing requests for internationalisation, not the least from non-US governments, according to Wolfgang Kleinwächter, an internet governance expert and head of ICANN’s Nominating Committee. The member states of Europe have passed another version of their “Guidelines on International Management of the Domain Name System” demanding further development of the private-sector-led bottom-up multi-stakeholder model for the technical coordination and the day-to-day management of the DNS, continued efforts towards full transparency and accountability and, notably, a “strengthened” GAC “that has increased active membership (in particular from developing countries), greater involvement in ICANN’s policy development processes [..] and effective secretariat support.”

GAC members might be the ones who could fill the oversight panels, one can speculate, and this might have come up during talks the NTIA held with the EU Troika (Sweden, Spain and the European Commission) at a meeting on the first of September, one of several meetings NTIA had with governments around the world in the run-up to the JPA deadline.

The EU guidelines also state a need “to stipulate and support dialogue and cooperation on public policy issues pertaining to the internet” in general, a possible hint of the need for continued discussions at the upcoming UN-led Internet Governance Forum in Egypt. The guidelines do not touch on the new TLD process, yet recommend “the establishment of an arbitration and dispute resolution mechanism based on international law in case of disputes.” The burden of going to a California court to appeal against a California-based ICANN decision has been mentioned at many new TLD events in Europe recently.

In the end, a change in the JPA might bring some changes and pacify some concerns over an overly US-centric ICANN. “From what I read, it looks like a smart move,” said Kleinwächter. What it will not bring is “independence” as ICANN will continue to be a government contractor for what is the core “critical resource” - the root zone and internet protocol address allocation management which are delegated via a separation contract, the Internet Assigned Numbers Authority (IANA) contract. US authorities have always declared that they will hold on to that one.

So after the JPA, it’s not over and discussions about the new TLDs can be expected to continue, too, for a long time.
Monika Ermert may be reached at

Source: ICANN’s New US Contract And New Top Level Domains - It’s Not Over, Monika Ermert, Retrieved on September 30, 2009 from

Friday, September 25, 2009

Nominum shoots for the cloud

The firm is using the cloud model to accelerate take-up of its Intelligent DNS systems, which feature enhanced security capabilities compared to legacy DNS systems, such as preventing users from being directed to unwanted, illegal or malicious content.

“We believe intelligent DNS needs to be ubiquitous to reach all parts of the internet, especially those enterprises and mid-tier ISPs for whom a full software solution may have until now been out of reach in terms of budget and expertise,” said Skye’s general manager, Jon Shalowitz.

“This is like adding fluoride to the water security safeguards built into the network because the threats are getting worse and legacy DNS systems don’t have the intelligence built in to understand what’s bad and what’s good.”

Skye will be offered in four separate but complementary services. The most basic is Skye Secure, an authoritative service with full DNSSEC support for enterprises and ISPs who want to protect their online apps and sites from threats.

Skye Core is intended for the same customers who want to shore up their internal DNS and cache servers, and this can be extended with Skye Trust, a real-time threat management service which could act in lieu of third-party web filtering technology, said Shalowitz.

Skye Search, finally, is a turnkey search destination solution for ISPs, providing their customers with navigation assistance and search recommendations for a wide range of user-based DNS errors.

Source: Nominum shoots for the cloud, Loulith Galenzoga, Zikkir Information Technology News, Retrieved on 23 September 2009 from

Tuesday, September 22, 2009

DNSSEC: Bolstering Internet Security - .ORG

Alexa Raad, CEO of .ORG, The Public Interest Registry and Ram Mohan, CTO and EVP of Afilias provide a brief video statement on the need for Domain Name System Security Extensions (DNSSEC) in the community and their dedication to widespread adoption and deployment within the Domain Name industry.

Nominum introduces cloud-based version of Intelligent DNS with SKYE

Nominum has taken the next step with its intelligent DNS format and offered a cloud based version of it.

Named SKYE, the service will offer ‘pay to use’ cloud-based infrastructure services to a broader range of ISPs. It will allow large and small enterprises to provide their end-users with increasing protection and improving relevance when navigating the internet.

The intelligent DNS is currently used by 170 million households and 100 service providers globally. The company claimed that by extending access to its carrier grade DNS software through a service-based model, internet navigation, safety and security will be vastly and swiftly improved for all broadband users.

SKYE vice president and general manager Jon Shalowitz claimed that the idea was to take the intelligent DNS and make it available through the cloud. Shalowitz said: “This is a hosted model, the goal is to allow some level of security and policy based control and allow it to be accessible to all networks. This is very attractive to business models that want to leverage the best software but control cost.

“It carries a wealth of information, not only the DNS input from a technology standpoint but it will tell you when things go wrong.” He also claimed that this will present a solution to people who use freeware ‘or something in Microsoft’. He said: “We are seeing a groundswell of integration from ISPs but they need to know how to bring intelligent DNS to the rest of the internet. SKYE is about taking the intelligent DNS to 100 per cent of users.”

SKYE has been established as a separate business unit from Nominum's existing software business, with considerable investment made to establish a global data centre presence and recruit staff to grow and market the business and manage service delivery.

It comprises four service offerings providing an end-to-end DNS solution: SKYE Core is a caching DNS service for Tier 2 & 3 ISPs and enterprises; SKYE Secure is an authoritative (external) DNS service supporting DNSSEC aimed at both ISPs and enterprises; SKYE Search is a turnkey search destination solution for ISPs to help redirect users responsibly to the right website; while SKYE Trust is a threat management service for ISPs which blocks malicious activity on the internet such as malware, botnets, spam and abhorrent content in real-time.
Shalowitz said: “DNSSEC creates a secure layer that is almost an SSL connection, this will ensure that there is no man-in-the-middle attack and confirms who you are. SKYE supports it and it is DNSSEC ready.”

Friday, September 18, 2009

Iran testing DNSSEC domain security

From the 'No UN Inspectors Required' files:

The Islamic Republic of Iran is now testing out DNSSEC (DNS Security) for its .ir country code domain.

That's right, Iran is now improving the security of its domain. Politics of what is going on in Iran (elections, nuclear aspirations) aside, the move towards DNSSEC is a good thing. According to Iran's nic @ir domain registration authority, a DNSSEC testbed began operations on Aug 30, 2009 and will continue until Feb 26, 2010.

Iran will be joining .se, .org and .edu (among others) as DNSSEC secured domain space. This means that at some point in 2010, the authenticity and security of domain holders in Iran will be better than it is today.

No one should really be surprised by this move, as the move to DNSSEC is at this point a global movement that is now really starting to pick up momentum. In the summer of 2008, the Internet was rocked by the revelation that the Domain Name System (DNS), one of the core infrastructures of the Internet, was vulnerable to attack. The ultimate solution to the DNS vulnerability, according to many security experts, is DNSSEC (DNS Security Extensions). While the total number of actual domains secured by DNSSEC today is relatively small by my count, it's a number that I expect to grow exponentially in 2010.

Tuesday, September 15, 2009

BIND 9.7.0a3 is now available


This is a technology preview of new functionality to be
included in BIND 9.7.0. Not all new functionality is in
place. APIs and configuration syntax are not yet frozen.

BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration
and operation.

New features include:

- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
(see README.rfc5011 for additional details).
- Smart signing: simplified tools for zone signing and key
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
(see README.libdns for details).
- On some platforms, named and other binaries can now print out
a stack backtrace on an assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support (see
README.pkcs11 for additional details).

Additional features planned but not included in this alpha release:

- Fully automatic signing of zones by "named"
- Additional PKCS#11 support, including multiple OpenSSL engines

BIND 9.7.0a3 can be downloaded from:

Friday, September 11, 2009

.edu getting secured with DNSSEC

DNSSEC is the smart, educated way to secure DNS right?

Ever since security researcher Dan Kaminsky's big DNS security disclosure in 2008, the need for DNSSEC, which provides integrity protection for DNS information, has been obvious. Yet relatively few top level domains (TLDs) have actually signed their zones for DNSSEC.

The .edu (for education) TLD, operated by Educause, is now set to join the ranks of DNSSEC-secured TLDs by March of 2010. A testbed is set to be in place this month to begin the preliminary work. Educause manages the .edu TLD under an agreement with the U.S. Department of Commerce.

"The Internet plays a vital role in higher education by facilitating online learning, collaboration, and research," said Lawrence E. Strickling, Assistant Secretary for Communications and Information at the Department of Commerce in a statement. "We are pleased that DNSSEC will be implemented in the .edu domain, which complements work already underway to better secure the Domain Name System overall."

This is clearly good news and further adds to the momentum that DNSSEC is now enjoying.

From my vantage point, I see 2010 as the year of DNSSEC with the beginning of wide adoption. I still think it will take a year (or more) until the whole Internet is secured (if ever) but there is light at the end of the tunnel.

Friday, August 28, 2009

NIST releases new draft of Special Publication 800-81 on securing DNS

A second draft of the proposed revision of Special Publication 800-81 has been released for public comment. This release incorporates suggestions received on the first draft, released in March, and also includes guidance on migrating to a new cryptographic algorithm for signing a zone, for migrating to NSEC3 hashing specifications to provide authenticated denial of existence response, and a discussion of DNS Security Extensions (DNSSEC) in split view deployments.
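The NSEC3 hashing that the draft covers is small enough to show in full. The following is an added example written for this post, not code from NIST, the draft, or any resolver: it computes the hashed owner name exactly as RFC 5155 section 5 defines it (SHA-1 over the canonical wire-form name plus salt, iterated, then base32hex) and applies the "covers" test that makes an NSEC3 record an authenticated denial of existence. The salt, iteration count and zone names are constructed for illustration.

```python
"""NSEC3 owner-name hashing and the 'covers' test for authenticated denial of
existence (RFC 5155).  Added example; not NIST's or any resolver's code.
Salt, iteration count and names below are constructed sample values."""
import base64
import hashlib

_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",   # RFC 4648 base32 alphabet
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",   # RFC 4648 "extended hex" alphabet
)

def base32hex_encode(data: bytes) -> str:
    """Base32hex without padding, lower-case, as NSEC3 owner names are written.
    The extended-hex alphabet preserves the sort order of the underlying bytes,
    which is what lets the chain be compared as strings below."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    return std.translate(_B32_TO_B32HEX).lower()

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed
    labels, terminated by the zero-length root label."""
    labels = [label.lower() for label in name.split(".") if label]
    out = bytearray()
    for label in labels:
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """H(name) per RFC 5155 section 5: SHA-1 of (wire name || salt), followed by
    `iterations` further rounds of SHA-1 over (previous digest || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex_encode(digest)

def nsec3_covers(owner_hash: str, next_hash: str, qname_hash: str) -> bool:
    """True if an NSEC3 record with this owner and next-hashed-owner proves that
    qname_hash is absent from the zone.  The chain is circular: the last record
    (owner >= next) covers everything after it and everything before the first.
    An exact match on the owner is not a denial; that name exists."""
    if owner_hash == qname_hash:
        return False
    if owner_hash < next_hash:
        return owner_hash < qname_hash < next_hash
    return qname_hash > owner_hash or qname_hash < next_hash

if __name__ == "__main__":
    # constructed zone: three names hashed with salt aabbccdd and 12 iterations
    salt, iters = "aabbccdd", 12
    chain = sorted(nsec3_hash(n, salt, iters) for n in ("example", "a.example", "ns1.example"))
    probe = nsec3_hash("does-not-exist.example", salt, iters)
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        if nsec3_covers(owner, nxt, probe):
            print(f"{owner} .. {nxt} covers {probe}: name does not exist")
```

RFC 5155 Appendix A carries worked vectors for the same salt and iteration count, so the output of `nsec3_hash` can be compared against them directly; the iteration count is also the knob the draft's guidance on NSEC3 parameters is about, since every extra round is work a validating resolver must repeat for each negative answer.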

The draft is expected to be finalized and published as SP 800-81r1 following the close of the public comment period on Sept. 30. Comments should be sent to

NIST SP 800-81 R1 Round 2 DRAFT Download

Source: NIST releases new draft of Special Publication 800-81 on securing DNS, Government Computer News, William Jackson, Retrieved on Aug 27, 2009 from

Thursday, August 20, 2009

Nominum to offer DNS 'blacklist' capability

Nominum plans to announce today a novel DNS security capability that functions like a spam blacklist, providing automated, real-time checking of DNS queries against a list of Web sites that are known to be malicious.

Nominum's Trusted Response and Universal Enforcement (TRUE) architecture is already in use by several ISPs supporting a combined 100 million broadband households. Nominum wouldn't identify these ISPs, but its Web site says its carrier customers include Verizon, Sprint, NTT Communications and other major industry players.

Now Nominum is making its third-generation DNS software that features the TRUE architecture available to corporations and other enterprise customers.

Source: Computer World
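The core of a query-time blocklist like the one described above is a name match done on label boundaries. The following is an added example, not Nominum's TRUE code: a resolver-side check that blocks a query when the name or any of its parent domains is on the list, while leaving look-alike names such as `notevil.example` alone (a naive string-suffix test would block those too). The list entries and sample queries are constructed.

```python
"""Query-time domain blocklist check, resolver side.  Added example; not
Nominum's code.  Blocklist entries and sample queries are constructed."""
from typing import Iterable, List, Optional, Tuple

def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Evil.Example.' == 'evil.example'."""
    return name.rstrip(".").lower()

class DomainBlocklist:
    def __init__(self, entries: Iterable[str]):
        self._blocked = {normalise(e) for e in entries}

    def match(self, qname: str) -> Optional[str]:
        """Return the blocklist entry covering qname, or None.

        The walk moves one label at a time toward the root, so 'cdn.evil.example'
        is caught by the entry 'evil.example' but 'notevil.example' is not: the
        candidates tested are whole label suffixes, never arbitrary substrings."""
        labels = normalise(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._blocked:
                return candidate
        return None

def filter_queries(blocklist: DomainBlocklist,
                   queries: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify a batch of query names as (qname, 'BLOCK'|'ALLOW', matched entry)."""
    result = []
    for q in queries:
        hit = blocklist.match(q)
        result.append((q, "BLOCK" if hit else "ALLOW", hit))
    return result

# constructed sample data
SAMPLE_BLOCKLIST = ["evil.example", "botnet-c2.test."]
SAMPLE_QUERIES = ["www.evil.example.", "EVIL.example", "notevil.example",
                  "cdn.botnet-c2.test", "bank.example"]

if __name__ == "__main__":
    for qname, verdict, entry in filter_queries(DomainBlocklist(SAMPLE_BLOCKLIST), SAMPLE_QUERIES):
        print(f"{qname:24} {verdict:5} {entry or ''}")
```

A production list is refreshed continuously and the verdict is usually a synthesised answer rather than a refusal; the matching rule stays the same, and logging the matched entry alongside the queried name is what makes later incident review possible.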

Wednesday, July 29, 2009

High-risk DNS exploit goes wild

BIND Dynamic Update DoS
CVE: CVE-2009-0696
CERT: VU#725188
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message


Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).

(Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)

Active exploits:
An active remote exploit is in wide circulation at this time.

Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:
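Because access controls do not help here, the only real check is the running version against the fix levels the advisory names. The following is an added example, not ISC's code: it parses the banner an operator gets from `named -v` (or a `version.bind` CHAOS query) and reports whether that release is at or above 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. Releases outside those three branches are reported as unknown rather than guessed at; the assumption that later patch releases in a fixed branch carry the fix is marked in the code.

```python
"""Compare a BIND version banner against the CVE-2009-0696 fix levels named
in the advisory (9.4.3-P3, 9.5.1-P3, 9.6.1-P1).  Added example; not ISC's code.
Input is assumed to be a `named -v` banner or a version.bind answer."""
import re
from typing import Optional, Tuple

# (major, minor, patch) -> minimum -P level carrying the fix, from the advisory
FIXED_LEVELS = {
    (9, 4, 3): 3,
    (9, 5, 1): 3,
    (9, 6, 1): 1,
}

_VERSION_RE = re.compile(
    r"(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?P<pre>[ab]\d+|rc\d+)?(?:-P(?P<p>\d+))?"
)

def parse_bind_version(text: str) -> Optional[Tuple[Tuple[int, int, int], Optional[str], int]]:
    """Return ((major, minor, patch), prerelease tag or None, -P level) or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    p_level = int(m.group("p")) if m.group("p") else 0
    return base, m.group("pre"), p_level

def cve_2009_0696_status(text: str) -> str:
    """'fixed', 'vulnerable' or 'unknown' for the version in `text`."""
    parsed = parse_bind_version(text)
    if parsed is None:
        return "unknown"
    (major, minor, patch), pre, p_level = parsed
    if major != 9:
        return "unknown"           # BIND 8 or earlier: not covered by this advisory
    if minor < 4:
        return "vulnerable"        # 9.0 to 9.3: "all versions" affected, no fix level named
    if minor > 6 or pre is not None:
        return "unknown"           # 9.7 previews and alpha/beta/rc builds: not described
    base = (major, minor, patch)
    fixed_base = next(b for b in FIXED_LEVELS if b[:2] == (major, minor))
    if base == fixed_base:
        return "fixed" if p_level >= FIXED_LEVELS[base] else "vulnerable"
    # Assumption: a later patch release in the same branch (e.g. 9.5.2) includes
    # the fix, while an earlier one (e.g. 9.6.0) predates it.
    return "fixed" if base > fixed_base else "vulnerable"

if __name__ == "__main__":
    # constructed banners an operator might collect from a fleet
    for banner in ("BIND 9.4.3-P2", "BIND 9.6.1-P1", "9.5.0-P2", "9.7.0a3"):
        print(f"{banner:16} {cve_2009_0696_status(banner)}")
```

Many operators hide the real version behind a custom `version` string in `named.conf`, so a remote `version.bind` query is only a first pass; confirm on the host itself.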


Tuesday, July 28, 2009

Experts Show the Way Towards a Better, More Secure Internet for Everyone

Internet Society - STOCKHOLM - Some of the world's leading experts met in Stockholm today to discuss how the Internet can become more secure through a full implementation of new security standards in the Domain Name System (DNS).

The Domain Name System is a critical operational element of the Internet, creating a user-friendly environment that allows names to be mapped to host addresses (for example, web and email servers). However, this system is not safe from tampering. Earlier this year, one of Brazil's biggest banks suffered an attack that redirected its customers to fraudulent websites that attempted to steal passwords and install malware.

Many experts are calling for a full-scale implementation of Domain Name Security Extensions (DNSSEC) which could protect the Internet from these types of attacks, such as the Kaminsky Bug. Patrik Wallström of .SE (the Top Level Domain Registrar for Sweden) explained that Kaminsky attacks can trick Internet users by taking over domain names and redirecting queries to another server. All applications are at risk including among others our email and online transactions.
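Until a zone is signed, the only thing standing between a resolver and a forged answer of the kind Wallström describes is how strictly it matches incoming responses to the query it sent. The following is an added example, not code from .SE, ISOC or any product: a resolver-side acceptance check in the spirit of RFC 5452 (transaction ID, destination port and question must all match; records outside the queried server's bailiwick are not cached), plus a monitor that flags a burst of mismatched responses for one question, which is what a brute-force forgery attempt looks like from the resolver's side. Messages are plain dataclasses rather than wire format, and all sample values are constructed.

```python
"""Resolver-side response acceptance and forgery-burst detection (RFC 5452
style).  Added example; not .SE's, ISOC's or any product's code.  Messages are
dataclasses rather than wire format; all sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RR = Tuple[str, str, str]   # (owner name, type, rdata)

@dataclass
class Query:
    txid: int
    src_port: int           # randomised source port the resolver sent from
    qname: str
    qtype: str
    zone: str               # zone the queried server is authoritative for (assumed known)

@dataclass
class Response:
    txid: int
    dst_port: int           # port the response arrived on
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)

def norm(name: str) -> str:
    return name.rstrip(".").lower()

def in_bailiwick(owner: str, zone: str) -> bool:
    """A server for `zone` can only vouch for names at or below `zone`."""
    o, z = norm(owner), norm(zone)
    return o == z or o.endswith("." + z)

def check_response(q: Query, r: Response) -> Tuple[bool, str, List[RR]]:
    """Return (accepted, reason, records safe to cache).

    Every one of txid, port and question must match the outstanding query; a
    forger who does not see the query has to guess all of them.  Out-of-bailiwick
    records are dropped even from an accepted response."""
    if r.txid != q.txid:
        return False, "txid mismatch", []
    if r.dst_port != q.src_port:
        return False, "port mismatch", []
    if norm(r.qname) != norm(q.qname) or r.qtype != q.qtype:
        return False, "question mismatch", []
    keep = [rr for rr in r.answer + r.authority + r.additional if in_bailiwick(rr[0], q.zone)]
    return True, "ok", keep

class SpoofMonitor:
    """Count rejected responses per question.  Many wrong-txid answers arriving
    for one outstanding query is the signature of a forgery attempt."""
    def __init__(self, threshold: int = 10):
        self.threshold = threshold
        self.rejects: Dict[Tuple[str, str], int] = {}

    def observe(self, q: Query, r: Response) -> Tuple[bool, str, List[RR]]:
        accepted, reason, keep = check_response(q, r)
        if not accepted:
            key = (norm(q.qname), q.qtype)
            self.rejects[key] = self.rejects.get(key, 0) + 1
        return accepted, reason, keep

    def alerts(self) -> List[Tuple[str, str]]:
        return [k for k, n in self.rejects.items() if n >= self.threshold]

if __name__ == "__main__":
    # constructed: one outstanding query, one genuine answer, a few stray ones
    q = Query(txid=0x1A2B, src_port=40123, qname="www.example.org.", qtype="A", zone="example.org")
    mon = SpoofMonitor(threshold=3)
    for t in range(4):
        mon.observe(q, Response(txid=t, dst_port=40123, qname="www.example.org", qtype="A"))
    print(mon.observe(q, Response(txid=0x1A2B, dst_port=40123, qname="www.example.org",
                                  qtype="A", answer=[("www.example.org", "A", "192.0.2.10")])))
    print("alerts:", mon.alerts())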

Leslie Daigle, Chief Internet Technology Officer of The Internet Society (ISOC), which organized the event: "DNSSEC effectively wraps tamper proof packaging around the data being requested to assure the user that the information is what was shipped from the authentic source."

"While DNSSEC isn't a magic bullet, it is a very important starting point that allows us to start evaluating how to secure the many applications that are intertwined with the Domain Name System," explained Jim Galvin, speaking on behalf of the Public Interest Registry that manages the .org domain name.

Richard Lamb, DNSSEC Programme Manager of ICANN added that "momentum has been building up. Today there is a generalized awareness that we need to implement the security extensions already at the root of the domain name system. With the widespread deployment of DNSSEC, we will be able to create a platform for innovation, new product development and international cooperation."

Matt Larson, Vice President of DNS research at VeriSign, one of the world's leading providers of network infrastructure services discussed VeriSign's plans for deploying DNSSEC in .com and .net. He said: "We are committed to the application of DNSSEC and have had a long history of involvement in its development. We are planning to have .net signed by the end of 2010 and .com signed in early 2011."

Securing the DNS panelists:

Patrick Wallström, SE
Richard Lamb, ICANN
Olaf Kolkman, NLnet Labs
Leslie Daigle, The Internet Society
Jim Galvin, Public Interest Registry
Matt Larson, VeriSign

More details of the event, including presentations at:

Source: Internet Society - Retrieved on July 28th from

Friday, June 26, 2009

International politics slows full deployment of DNSSEC

A growing number of generic top-level domains, including .gov and .org, are deploying DNS Security Extensions to help ensure the reliability of the Domain Name System. But full deployment of the extensions is moving at a glacial pace. Part of the problem is the complexity of managing the cryptographic keys used to sign DNS data and authenticate queries and responses. But one Commerce Department official said another part of the problem is international concern about the United States controlling the Internet. In many cases, the challenges faced are diplomatic rather than technical. The official likened the process of bringing the international community on board to herding cats.

Commerce has put much of the job of managing the Internet into the hands of the Internet Corporation for Assigned Names and Numbers, a nonprofit organization formed for that purpose. But Congress is unwilling to give up its oversight of a network the Defense Department originally created, and that worries some who see the Internet as a global resource.
Individual entities can handle many aspects of Internet security at the endpoints. But because DNS underlies virtually all Internet activity, securing it effectively is best done at a higher level. Hopefully, deploying DNSSEC won’t prove to be as challenging as achieving peace in the Middle East.

Source: Government Computer News, By William Jackson, Jun 25, 2009. Retrieved from

Monday, June 15, 2009

BIND 10 Set to Update DNS - Work is now underway for a major rewrite of the popular, open source DNS tech.

"DNS Security Extensions (DNSSEC) is a critical part of the BIND 9.x server, though DNSSEC itself is not yet widely deployed. DNSSEC offers a mechanism for digitally signing a domain name to ensure its authenticity. The technology has been widely hailed as the ultimate solution to the Kaminsky DNS flaw.

However, among the major top-level domains, currently only .org is now signed for DNSSEC. In BIND 10, a key goal is to make it easier for DNS administrators to actually manage DNSSEC. Kerr said it'll do that by improving usability.

"There is a lot of missing functionality for DNSSEC, such as full automation of DNSSEC," he said.
Kerr explained that with BIND 10, it may be as simple as clicking the "sign this zone" button on the administration interface to implement DNSSEC.

It will also provide handholding to admins in other ways.

"BIND 10 might warn administrators when signatures are soon to expire, or indeed have expired," Kerr said.

Release date?

In terms of timing for the actual BIND 10 release, Kerr said that the first deliverable is an authoritative-only server, which is scheduled to be delivered a year from now. "We expect the total development to take five years, at which point the software will enter maintenance as a relatively mature product," Kerr said.

The challenges in building the new BIND 10 server are as much about keeping existing BIND 9 users happy as about the new technology.

"BIND 9 is the most successful piece of DNS software ever written," Kerr said. "ISC needs to insure that BIND 9 users are happy until BIND 10 is ready to replace it. This means there is a tension between improving the 'old' product and working on the 'new' one."

"One of the goals of BIND 10 is that it will be a 100 percent drop-in replacement for BIND 9, but there is always resistance to change in the computer world," he added.
Source: Sean Michael Kerner, Retrieved on June 11, 2009 from

Tuesday, June 9, 2009

ICANN Calls on UK and Global Broadband ISPs to Adopt DNSSEC

The Internet Corporation for Assigned Names and Numbers (ICANN), which manages the Domain Name System (DNS), has called on ISPs around the world to start moving towards adoption of Domain Name System Security Extensions (DNSSEC). DNS translates IP addresses into human readable form (e.g. becomes but it is flawed, which can result in legitimate website addresses being diverted to malicious sites by hackers.

To solve this problem DNSSEC was developed, which uses a combination of encryption, origin authentication of DNS data, data integrity and authenticated denial of existence checks to prevent hackers from easily being able to hijack websites and domains from legitimate servers. It won't stop Distributed Denial of Service (DDoS) attacks, where a server is bombarded by masses of requests and ultimately crashes, but it will prevent most current hacks.

This is clearly a very important step towards making the Internet more secure. However ICANN admits that without support from both ISPs and application developers around the world then it may not succeed. ICANN is now pushing for full adoption of DNSSEC but notes that it will initially result in a two-tier Internet between users of secure and unsecure platforms:

The CEO of ICANN, Paul Twomey, told ZDNet UK : "[IT IS] important to get the application-layer community involved and to recognise that DNSSEC should move through all applications.

It's going to take some time to deploy and further discussions, as there are a lot of implementation issues for ISPs in how they support DNSSEC. [USERS] will have to have access to both signed and unsigned roots. It's not like we can turn DNSSEC on tomorrow."

DNSSEC itself is nothing new and ICANN has reportedly been pushing for it since 2005, although political squabbles over who manages the Internet have held up progress. Happily, agreements have now been reached and ICANN are finally in a position to push forward, although, much like moving to IPv6, it could still take many years to fully deploy.

To the average broadband consumer this will seem like little more than techno-babble that has no bearing on their experience. In reality it's a bit like putting an immobiliser and alarm in a car that previously had neither.

Source: MarkJ, ICANN Calls on UK and Global Broadband ISPs to Adopt DNSSEC, Retrieved on 9 June, 2009 from

Wednesday, June 3, 2009

.org TLD Signed with DNSSEC

Internet infrastructure services and domain name registry technology provider Afilias ( has signed the .org zone with domain name security extensions for the Public Interest Registry (, the company behind the .org top-level domain name, effectively making it the first open TLD to fight DNS hijacking using DNSSEC.

Monday, May 25, 2009

DNSSEC Industry Coalition Symposium Is Announced

The DNSSEC Industry Coalition Symposium is announced to be held June 11-12, 2009, in Washington, DC in collaboration with Google, Nominum, Inc. and the Internet Corporation for Assigned Names and Numbers (ICANN).

The purpose will be to discuss and identify potential and perceived issues with the Domain Name System (DNS) and DNSSEC deployment due to signing the DNS root zone. During the first part of the symposium, participants will present issues along with any proposed solutions. During the second part, recommended solutions or next steps for reaching solutions will be discussed.

The Coalition Symposium participants are from the global community of DNSSEC software vendors, root operators, ISPs and other resolver operators, DNS security community, and others. The results from discussions will be published in a Coalition Report and will be available directly after the symposium.


Tuesday, May 12, 2009

Internet users trying to reach Google Morocco were, for a few hours, sent to a Web site unaffiliated with Google

Google says that while visitors to its Moroccan Web site may have been misdirected over the weekend, its Web site was not hacked. On Saturday, a report on ArabCrunch said that Google Morocco had been hacked, based on a tweet from Habib Haddad, founder of the Google-powered Arabic search engine Yamli.

A screen shot posted by Haddad (above) suggests that Google's Moroccan Web site was defaced. But according to a Google spokesperson, "Google services in Morocco are not hacked. Since Friday PST, some users visiting "" were redirected to a different Web site. We're in touch with the appropriate hosting service to help investigate the issue."

What appears to have happened is that some domain information associated with Google Morocco was altered, allowing the attacker to send Internet users seeking Google Morocco to an alternate site. The distinction matters to Google because the security vulnerability that permitted the hijacking would have to reside in software or hardware operated by a third party rather than in a machine operated by Google.

As a practical result of the attack, Internet users trying to reach Google Morocco were, for a few hours, sent to a Web site unaffiliated with Google. Service has been restored.

Security researchers, such as Dan Kaminsky of IOActive, have been warning that infrastructure attacks represent a growing threat to Web sites. "The reality is the bad guys are out there, and they're learning," Kaminsky wrote in a blog post in March. "Just as attackers moved from servers to clients, some are moving from compromising a single client to compromising every client behind vulnerable infrastructure."

Other recent DNS attacks have reportedly affected a domain registrar serving Puerto Rico and a bank in Brazil. Kaminsky and other security researchers have been supporting the move to DNSSEC, an extension to the DNS system that allows domain information to be authenticated.

Source: "Google Morocco Not Hacked, Company Insists", Thomas Claburn, Information Week, Retrieved on 05/11/2009 from

Tuesday, May 5, 2009

House Energy and Commerce Subcommittee on Communications, Technology, and the Internet Hearing

"Often, the security industry, through hard work, coordination, knowledge and frequently, pure luck, are able to mitigate the effects before end users notice them. In most cases, these attacks never come to public notice. However, just a few minutes of effort with Google, searching for the terms "DNS and DDoS", and "cache poisoning", and "keystroke logging" will bring thousands of links to reports of successful breaches of Internet defenses. I'll focus on some events that have occurred or have been identified publicly in the last month.

In the first attack, on April 1st, 2009,, one of the major Internet domain name registrars, was attacked by the use of a DNS DDoS. In this attack, the attackers caused tens of thousands of compromised computers to flood the DNS or directory servers of the victim with bogus DNS requests, effectively rendering the directory servers unusable. In this particular case, hundreds of thousands of organizations became unreachable because provided the DNS service for their domains. This attack lasted a number of hours, but the effects lingered for a few days.

A second event occurred on April 12th that is far more insidious for average Internet users. The DNS servers of a large Brazilian ISP, Virtua, were compromised and their cache, or their local temporarily stored domain name and address directory, was "poisoned". The entry for one of Brazil's major banks, Bradesco, was modified by re-directing users to a fake website that was an exact copy of the Bradesco site, but was controlled by cybercriminals. This poisoned entry remained in place for five hours before Virtua and Bradesco noticed the problem and corrected it. According to an official statement from Bradesco, approximately "only 1% of their customers" were affected and potentially re-directed to this malicious site. Unfortunately, 1% of their customers are almost 150,000 individuals and this represents potentially huge monetary losses.

Similar cache poisoning events have been occurring for years, and the only complete defense is the implementation of the DNSSEC protocol. However, absent significant effort and support, this solution is unlikely to be available to the general public until 2011 at the earliest."

Source: “House Energy and Commerce Subcommittee on Communications, Technology, and the Internet Hearing”, TMCnews, Retrieved on 05/05/2009 from

Friday, May 1, 2009

Cybersecurity incentives, not mandates, needed

The U.S. Congress should look to provide incentives for private businesses to adopt stronger cybersecurity practices instead of creating new mandates, one information security expert told a congressional subcommittee Friday.

One role for government would be to continue to encourage the development of DNS Security Extensions, or DNSSec, a package of security fixes for the Internet Domain Name System, said Dan Kaminsky, director of penetration testing at cybersecurity vendor IOActive.

DNSSec would allow organizations to better trust Internet traffic coming from the outside, he said. "It will take some work; it will take a lot of work," Kaminsky added.

Source: "Expert: Cybersecurity incentives, not mandates, needed", Grant Gross, Retrieved on 05/02/2009 from

Wednesday, April 22, 2009

ISC Starts Development Work on BIND 10

Today, Internet Systems Consortium (ISC) revealed plans for BIND 10, the next generation of DNS server software. Like its predecessors, BIND 10 will be open source but it will also be modular, highly scalable and provide simple methods for configuration management and integration with other systems.
BIND 10 will include easy-to-use DNSSEC capabilities. "The design goal for DNSSEC in BIND 10 is to be usable by the typical DNS administrator with built-in safeguards for key management and renewal."

Thursday, April 9, 2009

NeuStar UltraDNS Downs Amazon, SalesForce, Petco

NeuStar confirmed that some of its UltraDNS managed DNS service customers were knocked offline for several hours Tuesday morning by a distributed denial of service attack.

NeuStar is a leading provider of high-availability DNS services to e-retailers including J.Jill and as well as high-tech companies such as Oracle and Juniper. Competitor Dynamic Network Services blogged about the UltraDNS outage earlier today, asserting that it affected,, and

NeuStar has been a leader in the push to deploy security extensions to the DNS infrastructure through an emerging standard dubbed DNSSEC. However, DNSSEC doesn’t address the problem of denial of service attacks. Instead, DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. Denial of service attacks, on the other hand, occur when a hacker disables a Web site by flooding it with bogus requests usually sent from a bot network.


Friday, April 3, 2009

What to Ask Vendors About DNSSEC?

The Basics:

Does it do DNSSEC according to the most recent RFC’s? (RFC 4033, 4034, and 4035)
Do your products have FIPS 140 certification?
Does it generate keys of the appropriate size? (2048 bit RSA/SHA-1)
Can the product be used to manage key material?
Can the product generate both NSEC and NSEC3 signed zones?
Can I sign/serve/manage multiple zones using this product?

The Not-So-Basics:

Does it integrate with ?
Does it work in your network infrastructure?
Does it work with MS Active Directory/Your DHCP server of Choice?
Can you use an HSM for key management with your product?
How do you update zone data using your product?
What about logging/Debugging tools?


Thursday, April 2, 2009

FISMA Requires DNSSEC on Internal Networks

If you work for a federal agency, you are probably aware of the OMB mandate that requires you to deploy DNSSEC on your external DNS by December 2009. Think you are out of the DNSSEC woods at that point? Think again.

According to a presentation at the recent GovSec conference by Doug Montgomery, Manager Internet Technologies Research Group at NIST, agencies should also be planning how they are going to sign their internal DNS. Why? Because revision 3 of NIST SP 800-53 says they must.

This new revision of the NIST document prescribes DNSSEC deployment for all federal IT systems (low, medium and high impact), which, of course, includes internal DNS systems. Once the initial draft of this document is finalized, which is expected to happen in May 2009, agencies will have one year to comply.

During the same DNSSEC session at GovSec, Susan Lightman, of the Office of Management and Budget, also indicated that OMB would begin conducting spot checks of agencies' DNSSEC deployment progress beginning in May or June of this year.

Source: Notify: The Latest in DNS News - April 2009, Secure64, Retrieved on 04/02/09 from

Monday, March 16, 2009

NIST SP 800-81 Revision 1

"When you type—or the Web address of your bank or an e-commerce site—into your web browser, you want to be sure that no one is hijacking your request and sending you to a bogus look-alike page. You’re relying on the integrity of the Internet’s “phone book,” the Domain Name System (DNS).

Computer scientists at the National Institute of Standards and Technology (NIST) are playing a major role in making sure that what you type is what you get by providing standards, guidance and testing necessary to bolster the trustworthiness of the global DNS. A draft update of NIST’s guidelines for DNS security is now available for public comment. "

Source: Safer Net Surfing Is Goal of NIST Domain Name Security Experts, NIST, Retrieved on 03/16/2009 from

Thursday, March 12, 2009

ISC Introduces DLV Web Interface for Rapid DNSSEC Deployment

ISC announced a new web-based interface for its DNSSEC Look-aside Validation (DLV) registry, a mechanism to allow domain holders to secure their domain information using the DNSSEC protocol extension to DNS in advance of a signed root or TLD zone.

ISC is introducing DLV and other DNSSEC and secure DNS services at the Government Security (GovSec) Expo and Conference in Washington, D.C. The new interface makes it easier for DNS administrators to join the DLV registry and maintain their data. DLV means that DNS administrators aren't dependent on others to get the full benefit of DNSSEC for their own portion of the name space.

For more information about ISC's DLV registry and DNSSEC services, please visit

Friday, March 6, 2009

Kaminsky Reluctant on DNSSEC

Dan Kaminsky, director of penetration testing at IOActive, got a lot of attention last year when he discovered a flaw in the Domain Name System, which underlies the Internet, that could allow poisoning of DNS caches. Since then, he said, he has become a believer in the DNS Security Extensions (DNSsec) for digitally signing DNS servers so that queries and responses can be trusted.

“I’ve never been a DNSsec supporter,” he said at the recent Black Hat DC security conference in Arlington, Va. But nothing scales like DNS, he said, including security tools. So he sees no other solution but to use DNSsec.

That doesn’t mean he’s happy about it. He said DNSsec is too complex to implement and administer, sentiments shared by many who have worked with the technology. But help is on the way as vendors develop appliances to automate the processes that generate and update keys and do the signing.

In the meantime, 25 percent of DNS servers have not been updated with the quick-fix patch issued last year for the vulnerability, and stealthy exploits have appeared. Kaminsky estimated that 1 percent to 3 percent of unpatched servers have been poisoned. It’s never too late to patch your servers, and it’s easier than implementing DNSsec.

Source: Government Computer News, "Kaminsky embraces DNSsec, reluctantly", Retrieved from from Mar 06, 2009

Thursday, March 5, 2009

dot-GOV DNSSEC Signed

The Dot-GOV top-level domain is now an active DNSSEC signed zone. All dot-GOV delegation DNSSEC information added to U.S. government agencies' domain delegation records is now considered signed by the dot-GOV TLD.

A GSA hosted website has been developed ( to support the project and for hosting a link to the current dot-GOV public key (plain text file -, which should be used as the published trust anchor for dot-GOV. The site also includes additional links and help pages for implementing DNSSEC for U.S. federal agencies dot-GOV domains.

Wednesday, March 4, 2009

Government implements DNSSEC on the .gov domain

The government has digitally signed the .gov top-level domain, effectively implementing the Domain Name System Security Extensions (DNSSEC) protocols throughout the top tier of the federal Internet space.

“On Feb. 28, 2009, DNSSEC became operational on .gov after the program successfully completed all required DNSSEC testing,” the General Services Administration, lead agency in the program, said today in a statement.

The signing came one month after the January deadline set by the Office of Management and Budget in August. The deadline had been pushed back when GSA officials found during testing that an additional feature was needed in the DNSSEC software being used.

“The .gov DNSSEC public key was registered [Feb. 28] with the Internet Assigned Numbers Authority (IANA) Interim Trust Anchor Repository (iTAR) and became available for use as the published trust anchor for .gov validation,” GSA said in its statement. “The .gov Top Level Domain is now considered an active DNSSEC signed zone.”

The next step in the governmentwide effort to better secure its DNS is for agencies to begin deploying DNSSEC within their second-level domains, such as, by the end of the year.

Source: Government Computer News, "Government implements DNSSEC on the .gov domain", William Jackson, Retrieved from from Mar 05, 2009

DNSSEC Guidelines being updated

"The National Institute of Standards and Technology is updating its recommendations for meeting the unusual security challenges presented by the Domain Name System (DNS), which underpins much of the Internet by mapping user-friendly domain names to numerical IP addresses.

Achieving those goals requires good network security practices that encompass up-to-date software patches, process isolation and fault tolerance, and the use of the more specific DNS Security Extensions (DNSSEC) to digitally sign and authenticate DNS query and response transactions. Agencies were required to implement DNSSEC in the .gov top-level domain this year. However, the deadline has slipped because the government has been waiting for improvement to the software being used. Second-level domains, such as, are to be signed by the end of the year.

NIST outlined the following basic steps for deploying DNSSEC for zone information:

- Install a DNSSEC-capable name server.
- Check zone file(s) for possible integrity errors.
- Generate asymmetric key pairs for each zone and include them in the zone file.
- Sign the zone.
- Load the signed zone onto the server.
- Configure the name server to turn on DNSSEC processing.
- Send a copy of the public key to the parent for secure delegation (optional).

In addition to minor textual corrections, the guidance includes the following revisions:

- Updated recommendations for cryptographic parameters based on NIST Special Publication 800-57.
- A discussion of NSEC3 Resource Record in DNSSEC.
- A discussion of DNSSEC in split-view deployments.
- Minor fixes of examples and text.
- Examples based on the name server daemon and Berkeley Internet Name Domain software.

NIST will hold two public commenting periods. The first one ends March 31; send your comments on the updated guidelines to secureDNS(at) In addition to integrity and authentication, ensuring the availability of DNS services and data is also important. DNS components are subject to denial-of-service attacks that seek to block access to the domain names. The NIST document provides guidelines for configuring deployments to prevent many of the denial-of-service attacks targeted at DNS. "

Source: Guidelines for securing DNS being updated, Government Computer News (GCN), William Jackson, Retrieved on March 03, 2009 from
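NIST's steps above end with signing the zone and loading it onto the server; the check a practitioner wants between those two steps is that every RRset actually carries a currently valid RRSIG, since expired or missing signatures make validating resolvers reject the data. The following Python script is an added example, not NIST's or the article's code: it parses a constructed, simplified presentation-format zone (the name agency.example., key tag and signature field are placeholders) and reports RRsets that are unsigned, not valid at the given time, or due for re-signing.

```python
# Added example (not NIST's or the article's code): check a signed zone before
# loading it. Every RRset needs an RRSIG whose validity window covers "now".
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample zone; names, key tag and signature field are placeholders.
SIGNED_ZONE = """\
agency.example. 3600 IN SOA ns1.agency.example. hostmaster.agency.example. 2009030401 7200 3600 1209600 3600
agency.example. 3600 IN RRSIG SOA 8 2 3600 20090401000000 20090302000000 12345 agency.example. c2lnbmF0dXJl
www.agency.example. 300 IN A 192.0.2.10
www.agency.example. 300 IN RRSIG A 8 3 300 20090310000000 20090302000000 12345 agency.example. c2lnbmF0dXJl
mail.agency.example. 300 IN A 192.0.2.25
"""

def _ts(s):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_zone(text):
    """Return (rrsets, sigs): rrsets maps (owner, type) -> rdata strings,
    sigs maps (owner, covered type) -> (inception, expiration) pairs."""
    rrsets, sigs = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == "RRSIG":
            # rdata: covered alg labels orig-ttl expiration inception tag signer sig
            covered, _alg, _labels, _ottl, expiration, inception = rdata[:6]
            sigs[(owner, covered)].append((_ts(inception), _ts(expiration)))
        else:
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, sigs

def check_zone(text, now, refresh_margin=timedelta(days=7)):
    """Return [(owner, type, problem)]; empty means the zone is safe to load.
    Delegation NS and glue are legitimately unsigned and not special-cased here."""
    problems = []
    rrsets, sigs = parse_zone(text)
    for owner, rtype in sorted(rrsets):
        windows = sigs.get((owner, rtype), [])
        if not windows:
            problems.append((owner, rtype, "unsigned"))
            continue
        valid = [(inc, exp) for inc, exp in windows if inc <= now < exp]
        if not valid:
            problems.append((owner, rtype, "no currently valid RRSIG"))
        elif max(exp for _, exp in valid) - now < refresh_margin:
            problems.append((owner, rtype, "RRSIG expires soon, re-sign"))
    return problems
```

The refresh_margin argument is the window in which automatic re-signing (or a manual dnssec-signzone run) should already have produced fresh RRSIGs; flagging it catches a stalled signing job before resolvers start failing validation.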